Security Spending Trends for 2005

With 2005 security budgets in place at most enterprises, the spending has begun.

Expect some changes. Identity management? That’s so 2004. When it comes to network-security spending, this year three things are hot: endpoint-security initiatives, vulnerability management, and new intrusion detection and prevention systems.

For organizations planning to adopt those three types of technology, most will do so soon—before late 2005. For example, by the fourth quarter of 2005, 83 percent of organizations plan to implement intrusion detection or prevention, 74 percent plan on implementing vulnerability management, and 67 percent plan to implement endpoint-security management.

Those results come from the “2005 IT Security Adoption Survey,” conducted in December 2004 by network-security vendor StillSecure. Over 1,400 IT and security personnel, from organizations in the public, private, and government sectors, responded to the survey, the company says.

This year, research firm IDC expects security spending to increase by six percent, versus last year’s five-percent growth. Still, it says that this year companies will spend more on business-oriented concerns rather than only on specific point technologies.

What are those business concerns? According to the StillSecure survey, over half of organizations say their biggest driver for network-security spending is simply protecting data. One-fifth of companies say compliance regulations are their biggest concern, while 15 percent say they’re just trying to avoid network downtime.

Squaring with IDC’s prediction, based on the responses, most organizations seem to have advanced beyond the dominant approach of several years ago: just throwing technology at problems. “The fact that protecting data, regulatory compliance, and preventing downtime are the three biggest areas of concern validates [the fact] that network security is not about deploying technology for technology’s sake, but rather about solving true business and operational challenges,” says Mitchell Ashley, chief technology officer of StillSecure.

Another finding, he says, is that by and large companies are no longer relying solely on one type of technology to defend discrete parts of the network. For example, almost every respondent has already implemented traditional network-security defenses: antivirus software, firewalls, and now VPNs. All major spending growth is now taking place in other areas, as companies adopt a layered approach to security, mixing technology “at the perimeter, network, host, application, and data levels.”

Last year, many companies implemented access-control and user-authentication technologies, with almost 80 percent of companies reporting such technology is now in place. Most of the rest are currently investigating the technology, and “of those who haven’t yet implemented these technologies, 83 percent plan to implement an intrusion detection or prevention solution prior to the fourth quarter of 2005,” says Mitchell.

For planning future spending, vulnerability management and endpoint-policy compliance are popular, with about 40 percent of companies saying they’re interested in or currently researching them. While about one-third of companies have already implemented vulnerability management, one in 10 companies is currently implementing both it and endpoint policy compliance.

Based on the survey responses, expect the majority of endpoint-compliance technology implementations to not occur before late 2005 at the earliest, perhaps reflecting the currently nascent state of the technology, and the lack of industry standards for making heterogeneous systems interoperate.

Mathew Schwartz is a Contributing Editor for Enterprise Systems and writes its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.